Re: Can You Prevent Some Users From Telneting to their Accounts?


Subject: Re: Can You Prevent Some Users From Telneting to their Accounts?
From: Dan Burcaw (dburcaw@terraplex.com)
Date: Sun Oct 17 1999 - 19:26:14 MDT


Bill,

You can do this two ways.

1) You can set a user's shell to /bin/false so when they try to telnet in
   it runs /bin/false, which of course does nothing and boots them out.

2) You can edit /etc/pam.d/login so that it looks like this:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_shells.so
auth required /lib/security/pam_listfile.so \
                  onerr=fail item=user sense=allow file=/etc/loginusers
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so

Basically, this makes it so PAM checks /etc/loginusers each time someone
tries to log in and if their username is not in that file, does not allow
the login.

One caveat... if you put in a user's login followed by a space or multiple
spaces, PAM sometimes thinks the user's login includes a space and so it
doesn't let them in.

You could change the sense=allow in the long line above to sense=deny
so it acts more ftpusers-like.

Hope this helps,
Dan

Terra Soft Solutions, Inc.
   Yellow Dog Linux
   "The Ultimate Companion for a Dedicated Server"
   http://www.yellowdoglinux.com/
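
A check for the list file, prompted by the trailing-space caveat in the message above. This is an added example, not part of the original post: the function name lint_listfile and the sample accounts are made up here, and it assumes the file is meant to hold exactly one username per line.

```shell
#!/bin/sh
# Lint a pam_listfile user list such as /etc/loginusers.
# Usage: lint_listfile LISTFILE [PASSWDFILE]
# Prints one finding per line as "LINE_NO: problem"; returns non-zero if any.
lint_listfile() {
    list=$1
    passwd=${2:-/etc/passwd}
    [ -r "$list" ] || { echo "0: cannot read $list"; return 1; }
    awk -v passwd="$passwd" '
        BEGIN {
            # Collect account names from the passwd-format file.
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                known[f[1]] = 1
            }
        }
        {
            raw = $0
            name = raw
            # Strip the whitespace (and stray CRs) that the caveat warns about.
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", name)
            if (name == "") {
                printf "%d: blank line\n", NR; bad = 1; next
            }
            if (name != raw) {
                printf "%d: surrounding whitespace: [%s]\n", NR, raw; bad = 1
            }
            if (!(name in known)) {
                printf "%d: no such account: %s\n", NR, name; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$list"
}

# Constructed sample data (not from the post): one entry has a trailing space.
demo=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$demo/passwd"
printf 'root\nalice \n' > "$demo/loginusers"
lint_listfile "$demo/loginusers" "$demo/passwd" || echo "fix the lines above first"
rm -rf "$demo"
```

Running it against /etc/loginusers before adding the pam_listfile line catches the entries that would otherwise lock a user out under sense=allow.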


